1381802270 J * paradigm-X ~username@pool-71-170-154-175.dllstx.fios.verizon.net
1381803223 N * l0kit Guest2400
1381803228 J * l0kit ~1oxT@0001b54e.user.oftc.net
1381803631 Q * Guest2400 Ping timeout: 480 seconds
1381806027 Q * paradigm-X Ping timeout: 480 seconds
1381807006 J * paradigm-X ~username@pool-71-170-154-175.dllstx.fios.verizon.net
1381807018 M * paradigm-X I found that it seems as though I must have the host network adapters configured in order to make use of the guest's networking, but is there any reason why I cannot give the host adapters inaccessible IPs in order to keep them from having access to the same networks as those used by guests? Or is the only other solution to create firewall rules to drop network packets from host IPs?
1381807660 M * Bertl the network interfaces are usually shared between host and guest (unless you use network namespaces)
1381807700 M * Bertl but there is no reason to have host IPs at all unless you need them for reaching the host for administrative purposes
1381807742 M * Bertl and of course, you can have host only IPs use a different network than the guests
1381807838 M * paradigm-X Hello, Bertl.
1381808183 M * paradigm-X I want to be able to eliminate host networking while maintaining guest networking. I have a machine with two guests. I maintain one guest using the other guest when necessary. I have direct access to the machine itself. I have one of these guests "constantly" accessing the internet as well as one other VM (not vserver) on the LAN.
1381808285 M * paradigm-X The machine has two adapters: one accessing the internet, the other accessing the other machine's (nonVServer) VM.
1381808340 M * Bertl well, just don't assign any host IPs then
1381808352 M * paradigm-X I do not want the host having access to the networking of these two guests.
1381808380 M * Bertl the host will always have access to the guest networking
1381808397 M * Bertl that's because the guest IPs are also configured on the host
1381808513 M * paradigm-X Okay, I misspoke somewhat: I do not want the guests having any access to the host, and I do not want the host to have any other networking capabilities or access, except on such occasions where I would need to update the systems, etc., temporarily.
1381808557 M * Bertl as I said, don't assign host specific IPs, don't start any host services
1381808610 M * paradigm-X So I can simply remove the host IPs, as you pointed out. I need to look at this service thing a bit more now.
1381809045 M * paradigm-X thank you, Bertl
1381809052 M * Bertl you're welcome!
1381809867 M * paradigm-X Bertl: Did I just miss somewhere mentioning how to set a guest's gateway? I have not seen it, and I have been doing it at the host level only.
1381810227 M * Bertl correct, the gateway and everything network related is configured on the host
1381810246 M * Bertl the guest just uses the IPs for binding ports
1381810395 M * paradigm-X It seems unusual to me that I would set up the host with a gateway IP but not an adapter IP for it too.
1381810444 M * Bertl well, there is nothing wrong with configuring a host IP, but IIRC, that is what you wanted to avoid, no?
1381810508 M * Bertl in typical (secure) setups, the host has a maintenance network (with a separate network interface) or a serial connection to do actual host maintenance
1381810527 M * Bertl everything else is put in guest specific routing tables
1381810925 M * paradigm-X There is no gateway route-like entry in "/etc/vservers/vsX/interfaces", none that I have seen anyway. I would, therefore, have to use something like this command: route add default gw . But I would have no corresponding ifconfig command to configure the IP, broadcast, or mask. Is that what you meant by not assigning host specific IPs?
1381811001 M * Bertl not really related. and yes, there is no gateway in interfaces because there is no routing setup done by util-vserver
1381811368 M * paradigm-X "Not really related"? Okay, then I am not really grasping your point perhaps. :) If the guest needs to have a gateway (e.g., router IP), then it must be configured in the host. However, if I have no IP for the host, how else would I arrange this, using a simple test case if need be? This is what I thought I illustrated with those commands.
1381811442 M * Bertl let's say you would assign ip 192.168.0.10 to the host and 192.168.0.20 to the guest
1381811471 M * Bertl and you would use 192.168.0.254 as the default gateway with a prefix of /24
1381811513 M * Bertl now if you simply do not assign the 192.168.0.10 IP at all, still the 192.168.0.20 will require the network and gateway setup
1381811601 M * paradigm-X Maybe I did not express myself well then, because we appear to be concurring. That is what I said in fact.
1381812117 M * Bertl perfect then! :)
1381812363 M * paradigm-X Do you typically see iptables firewalls configured on both hosts and guests, separately I mean?
1381812416 M * Bertl as the networking is on the host (unless you use network namespaces) all the iptables rules are also on the host
1381812683 M * paradigm-X Maybe I should take a look at the documentation at vserver.org on using namespaces in vserver.
1381814421 M * paradigm-X exit
1381814429 Q * paradigm-X Quit: leaving
1381816369 M * Bertl off to bed now ... have a good one everyone!
1381816373 N * Bertl Bertl_zZ
1381816701 J * druschka ~druschka@82.192.23.118
1381816815 Q * druschka
1381816899 J * druschka ~druschka@82.192.23.118
1381817135 Q * Defaultti Quit: Quitting.
1381817191 J * Defaultti defaultti@lakka.kapsi.fi
1381817273 Q * druschka Quit: druschka
1381817623 J * druschka ~druschka@82.192.23.118
1381820315 J * Ghislain ~aqueos@adsl1.aqueos.com
1381821982 Q * druschka Quit: druschka
1381822040 J * druschka ~druschka@82.192.23.118
1381827619 Q * ensc|w Remote host closed the connection
1381827628 J * ensc|w ~ensc@62.153.82.27
1381832630 J * BenG_ ~bengreen@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com
1381833425 Q * BenG_ Quit: I Leave
1381834415 Q * ircuser-1 Read error: Operation timed out
1381836192 J * beng_ ~BenG@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com
1381837339 J * ircuser-1 ~ircuser-1@35.222-62-69.ftth.swbr.surewest.net
1381837745 N * Bertl_zZ Bertl
1381837748 M * Bertl morning folks!
1381838346 Q * beng_ Ping timeout: 480 seconds
1381839374 Q * Aiken Remote host closed the connection
1381840994 J * beng_ ~BenG@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com
1381843560 Q * druschka Quit: druschka
1381850359 J * rawplayer ~xyzzy@shell.students.os3.nl
1381850488 Q * beng_ Quit: I Leave
1381853612 J * bonbons ~bonbons@2001:a18:224:e01:70ed:1ee3:8d6f:190f
1381858305 J * hijacker_ ~hijacker@cable-84-43-134-121.mnet.bg
1381862140 J * druschka ~druschka@82.192.23.118
1381864710 Q * druschka Quit: druschka
1381866312 Q * hijacker_ Quit: Leaving
1381866898 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1381869523 Q * bonbons Quit: Leaving
1381875046 Q * Ghislain Quit: Leaving.
1381875048 J * Ghislain ~aqueos@adsl1.aqueos.com
1381875531 Q * Ghislain Ping timeout: 480 seconds
1381880257 J * Ghislain ~aqueos@adsl1.aqueos.com
1381881312 M * swenTjuln Anyone from here now in NYC @Velocity ?
1381881489 J * paradigm-X ~username@pool-71-170-154-175.dllstx.fios.verizon.net